The Xceptional Blog

Google Workspace vs Microsoft 365: Which platform is more secure?

Written by Natalie Bertalotto | Apr 7, 2021 4:45:08 PM

Cloud-based productivity platforms have become a popular option for many small and medium-sized businesses. The accessibility and collaboration options these platforms provide are unparalleled, and it’s not hard to see why their adoption rates are booming. But there are many factors to consider when choosing the right productivity suite for your business. Some of them are surely functionality, design, ease of use, scalability...and then there’s security.

In the everlasting Google Workspace vs Microsoft 365 debate, security often comes as an afterthought, even though it is one of the most important features to consider when choosing the right platform.

We have touched on security when we were taking a deep dive and dissecting each feature and aspect of Google Workspace and Microsoft 365, but now is the time to take a closer look at all of the security controls, features and capabilities these two platforms bring to the table. 

Email security

Email is so widely used across all businesses that it has become an everyday part of our lives. Because of this, it is also very useful to cyber criminals as a gateway into your network.

Protecting your email is becoming crucial due to the heightened number of cybersecurity threats, such as social engineering attacks that target companies of all sizes via email. A prime example is phishing emails, which have seen a reported 600% increase since the start of 2020 and show no sign of stopping. Falling victim to a phishing attack can lead to cyber criminals infiltrating your company network and getting hold of your sensitive data. That is not a scenario you want to find yourself in, so email security should be one of your top priorities when choosing your business productivity suite.

For their email services, Google Workspace offers Gmail and Microsoft 365 has Outlook on their side. While we went into specifics about similarities and differences between the two, now is the time to take a closer look at how well they are able to protect your company’s email accounts.

Google Workspace 

By default, Google Workspace and Gmail provide phishing and spam protection that stops more than 99.9% of attacks. Also by default, untrustworthy emails are flagged and sent to the spam folder.

Gmail allows IT administrators to help users avoid phishing attacks by implementing the Password Alert extension, which detects if users are using their Google password to sign in to suspicious websites.

To further protect your email, administrators can set custom rules against phishing and malware that arrive as suspicious links and attachments in incoming emails. Admins can choose which action to take based on the detected threat, and all security settings can be tailored for different users.

On Enterprise plans, administrators can define custom rules that require email messages to be encrypted with Secure/Multipurpose Internet Mail Extensions (S/MIME).

For companies or specific users that might be at risk of targeted attacks, the Advanced Protection Program provides much stronger protection with a specific set of policies that include security key enforcement, blocking access to untrusted applications and enhanced scanning for email threats.

Microsoft 365

For email security, Microsoft’s Outlook relies on Exchange Online Protection, which comes with all of their business plans. Exchange Online Protection protects your business email against spam, malware and known threats, with near real-time reporting and message tracing so the status of any email can be checked instantly.

For encryption of email messages, Enterprise plans in Microsoft 365 offer Office 365 Message Encryption, which allows you to send encrypted and rights-protected messages to people inside and outside your organization, and encrypted email to anyone, regardless of their email address. To further enhance email security, Message Encryption allows for communication over Transport Layer Security (TLS).

Among the newer capabilities added to Message Encryption is the ability for end users to control, easily encrypt and apply rights management templates.

 

Data security and privacy

To operate, a company of any size, whether an enterprise or a startup, needs to protect its intellectual property, internal data and customer information: its sensitive data. There are many reasons why data security and privacy are important for businesses: they help reduce the chances of a potential data breach, can prevent loss of revenue, protect customer privacy, improve brand image and value and even give a competitive advantage.

Today, maintaining the privacy of the sensitive information your customers have divulged to you is crucial, and both Google and Microsoft go to great lengths to ensure it. Let’s see how exactly they do it.

Google Workspace 

While Google has come under scrutiny related to their user data collection for advertisement purposes, it’s important to remember that these privacy concerns don’t apply to business and enterprise accounts. 

Google Workspace encrypts your data at several levels and protects any communication and data transmissions with internal and external parties. Administrators can set up a data loss prevention (DLP) policy to protect sensitive information in Gmail and Drive. When the policy is in place, administrators can easily audit files with sensitive content and configure rules to warn users about sharing them, or even prevent them from doing so.

In their Business Plus and Enterprise plans, Google has a powerful tool in its arsenal: Google Vault. Vault is an information governance tool that allows you to retain, hold, search and export users’ Google Workspace data. You can configure Vault to retain data for a set period of time, remove the data when you no longer need it and control who can access Vault to ensure only authorized users have access to your company’s data.

Microsoft 365

For data security and privacy, Microsoft 365 isn’t a lightweight either. When people in your company collaborate with others both inside and outside of the company, sensitive data no longer stays safe behind your firewall. Microsoft makes sure that data is protected with their sensitivity labels in the Microsoft Information Protection solution. 

Microsoft Information Protection is a solution that allows you to classify and protect sensitive data in your company. By enabling the Data Loss Prevention policy, you can automatically identify, monitor and protect your users’ sensitive information.

To help protect against more sophisticated threats, Microsoft has Microsoft Defender for Office 365. Microsoft Defender allows you to easily wipe company data from lost or stolen devices, restrict the copying or saving of company information to unauthorized apps and control who has access to company information.

 

Compliance 

While securing their sensitive data and maintaining its privacy, companies are often obliged to meet legal and regulatory compliance requirements for data security. Penalties for noncompliance can be so severe that they can lead to businesses shutting down, if the cost of the leaked data doesn’t do it on its own.

As regulations apply to all data, including digital data, companies are concerned about compromising their compliance when choosing their business productivity suite. This is why it’s important that we briefly go over the compliance certifications and standards Google Workspace and Microsoft 365 adhere to.

Google Workspace 

Google backs its security with certifications, third-party audits, documentation and legal obligations to support those needs. Google solutions, including Workspace, are audited regularly and fully adhere to the following (main) compliance standards, and then some more:

  • SOC1™ 
  • SOC2™
  • SOC3™
  • ISO 27001
  • ISO 27017
  • ISO 27018
  • ISO 27701
  • HIPAA
  • FedRAMP
  • FERPA
  • COPPA
  • EU Data Protection Directive and GDPR

Microsoft 365

Microsoft has their Microsoft 365 compliance center that allows you to see how your company is doing with data compliance and if there are any alerts on data misuse and non-compliance. Just like Google, they adhere to all of the main compliance standards:

  • ISO 27001
  • ISO 27018
  • SOC1 Type II & SOC2 Type II
  • FISMA
  • HIPAA
  • EU Data Protection Directive and GDPR
  • CJIS
  • DFARS
  • FedRAMP

 

User authentication

Your network is only as secure as your weakest link, which in most cases is your employees and other users on the network. With the rise of remote work, many workers now access company networks from numerous devices and from different locations. This opens up entry points for cyber criminals, who have become quite adept at stealing login credentials and using them to access your company network. Proving a user’s identity and making sure only authorized users can access certain areas of your network is important, as not all users need access to all areas. Your business productivity platform should allow you to control and maintain security through proper user authentication.

Furthermore, many companies that use Google Workspace or Microsoft 365 tend to not have all apps available to every employee — some only need access to email, spreadsheets or a combination of some of the apps. To make sure employees have secure access to apps they need in their day-to-day tasks, Google Workspace and Microsoft 365 have their own ways of ensuring it: 

Google Workspace 

Starting from the basics, Google Workspace offers 2-step verification that can be applied to all users and can detect any suspicious logins. Based on multiple security factors, Google determines which type of login authorization will be used: mobile device login, employee ID or recovery email login. If a suspicious login is detected, the IT administrator is notified so further measures can be taken to ensure the security of the user’s account.

Google Workspace also allows administrators to enforce strong password policies for all users, which set the required complexity, number of characters and numbers in their passwords and how often they need to be changed. As an administrator, you can also reset users’ accounts.

Microsoft 365

When it comes to user authentication, Microsoft 365 comes armed with multi-factor authentication. With MFA, instead of just 2FA (two-factor authentication), users need to be verified not only with, for example, their email, password and an SMS code, but also by using the Microsoft Authenticator app on their mobile device.

In Microsoft 365, admins also have the ability to enforce password policies, reset passwords and use all the other options available in Google Workspace.

 

Final verdict

When asked which platform is inherently better, there is no single answer that will be true for every company. If you have been following us from the start of our Google Workspace vs Microsoft 365 series, you can deduce that Google Workspace truly is a better solution for small businesses and startups due to its ease of use, collaboration, design and even straightforwardness. When it comes to security, it is a close tie.

Both Google and Microsoft have a strong regard for security and data privacy, so with this in mind, you wouldn’t go wrong with choosing either platform. What is important, though, is looking at the full picture. What are your other needs? Revisit our Google Workspace benefits post, discover all the detailed similarities and differences between the two suites and even see how they can be used together.

Still not sure what business productivity suite is right for you? Contact us and let us help you discover the cloud-based productivity platform perfectly aligned with your business needs.